RE: Can you send mail without sendmail?

From: Kalum / Grendel <kalum delrom ro>

To: Ryan Waldron <rew erebor com>

Cc: <redhat-install-list redhat com>

Subject: RE: Can you send mail without sendmail?

Date: Wed, 29 Aug 2001 19:38:44 +0600 (LKT)

On Tue, 28 Aug 2001, Ryan Waldron commented thusly,
> > > If you aren't allowed to have services running, then it won't matter
> > > whether it's postfix or sendmail running as a service.
>
> > Of course it will matter, assume that you are running sendmail and
> > its a buggy version (if you are running sendmail and havent upgraded
> > a few days ago then you are open to a root exploit with a local user
> > being able to
>
> Umm...tiny clue - if you're NOT allowed to run the daemon, and you
> DON'T run it, then it doesn't matter if you have installed the
> sendmail-all-root-exploits.tgz to your source tree.
You didnt mention about NOT RUNNING it.
> > Albeight consuming 30mb of ram while idling, hogging the CPU, etc etc
> > etc...what a disaster.....
>
> I run sendmail at kansas.erebor.com. You're a genius, sendmail
> sucks, etc. Have at it.
Of course sendmail sucks, I or anyone else doesnt have to be a genius to
figure that out. All you need is a mouse and one finger working to be
able to visit <http://www.securityfocus.com/headlines/12309> to figure it
out.
> Put your money where your mouth is - r00t my machine via sendmail or
> shut up.
Let me rephrase it, we all know that there have been 2 challenges
with a reward of 1000$ being offered to anyone who cracks qmail, both of
which went on running for 2 years were unclaimed.
So if you are so brave, why dont you setup your sendmail box, and issue a
challenge with a reward of 1000$ for anyone who hacks in to it via
sendmail.
I expect you to go ahead with it if you beleive in sendmails security, if
you dont put up the 1000$ reward, then please explain your reasons for not
doing so (apart from a possible lack of money ;). If you dont do it the
only reson that we can expect is that you really are afraid of sendmails
legendary insecurity, and cant backup your boasting with a hard test.
Remmeber we qmail guys have done it twice and not one person claimed it.
So why dont you sendmail guys do it too and see what the results are, if
it goes unclaimed (despite adequte publicity) then you can claim that
sendmail is secure.
Best Wishes,
Grendel
--
.---------------------.---------------------.----{)--.
| /"__ ._ _ _ _| _ |`-. kalum delrom ro .-'(]__/|| |
| \__/ | (-'| |(_|(-'l_ `-===============-' [_] .-: |
`--------------------------------------------/|\/| |-'
all your chix are belong to us.